From d17aafd19a465fb9992d8189381adc3bdd488ead Mon Sep 17 00:00:00 2001 From: Julio Date: Sat, 5 Oct 2024 23:33:30 +0200 Subject: [PATCH] chore(ci): add renovate for golangci-lint, go and node version (#20236) Signed-off-by: ggjulio --- .github/dependabot.yml | 3 +- .github/workflows/ci-build.yaml | 3 + .github/workflows/image.yaml | 2 + .github/workflows/release.yaml | 2 + .github/workflows/update-go.yaml | 42 ------- .github/workflows/update-node.yaml | 42 ------- Makefile | 8 -- hack/installers/install-lint-tools.sh | 5 +- hack/update-go.sh | 38 ------ hack/update-node.sh | 33 ----- renovate-presets/custom-managers/shell.json5 | 16 +++ renovate-presets/custom-managers/yaml.json5 | 16 +++ .../openssf-merge-confidence-columns.json5 | 22 ++++ renovate.json | 113 ++++++++++++++++++ 14 files changed, 179 insertions(+), 166 deletions(-) delete mode 100644 .github/workflows/update-go.yaml delete mode 100644 .github/workflows/update-node.yaml delete mode 100755 hack/update-go.sh delete mode 100755 hack/update-node.sh create mode 100644 renovate-presets/custom-managers/shell.json5 create mode 100644 renovate-presets/custom-managers/yaml.json5 create mode 100644 renovate-presets/fix/openssf-merge-confidence-columns.json5 create mode 100644 renovate.json diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 56b7ce0e23f5d..7bb87b76e46f6 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -33,8 +33,7 @@ updates: interval: "daily" ignore: # We use consistent go and node versions across a lot of different files, and updating via dependabot would cause - # drift among those files. - # Use `make update-go` and `make update-node` to update these versions. + # drift among those files, instead we let renovate bot handle them. - dependency-name: "library/golang" - dependency-name: "library/node" diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml index 3ec2a9ea36fb0..9a8093ff2fe6e 100644 --- a/.github/workflows/ci-build.yaml 
+++ b/.github/workflows/ci-build.yaml @@ -13,6 +13,7 @@ on: env: # Golang version to use across CI steps + # renovate: datasource=golang-version packageName=golang GOLANG_VERSION: '1.23.1' concurrency: @@ -110,6 +111,7 @@ jobs: - name: Run golangci-lint uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1 with: + # renovate: datasource=go packageName=github.com/golangci/golangci-lint versioning=regex:^v(?\d+)\.(?\d+)\.(?\d+)?$ version: v1.61.0 args: --verbose @@ -305,6 +307,7 @@ jobs: - name: Setup NodeJS uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 with: + # renovate: datasource=node-version packageName=node versioning=node node-version: '22.8.0' - name: Restore node dependency cache id: cache-dependencies diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml index 9f7628a61c04d..e7e9e77b7a7ab 100644 --- a/.github/workflows/image.yaml +++ b/.github/workflows/image.yaml @@ -52,6 +52,7 @@ jobs: uses: ./.github/workflows/image-reuse.yaml with: # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations) + # renovate: datasource=golang-version packageName=golang go-version: 1.23.1 platforms: ${{ needs.set-vars.outputs.platforms }} push: false @@ -68,6 +69,7 @@ jobs: quay_image_name: quay.io/argoproj/argocd:latest ghcr_image_name: ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }} # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations) + # renovate: datasource=golang-version packageName=golang go-version: 1.23.1 platforms: ${{ needs.set-vars.outputs.platforms }} push: true diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index a127c0d746d22..43aa01735b7f2 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
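Review bot: In the `Run golangci-lint` step the inline versioning pattern ends in `\.(?\d+)?$`, which makes only the digits of the third component optional while the dot before them stays mandatory. A two-part tag would therefore not match, and a string with a trailing dot would. If a missing patch component should be accepted, move the dot into the optional part, e.g. `(?:\.(?<patch>\d+))?$`; if it should not, drop the trailing `?`. The capture-group names are not visible in this rendering, so confirm they are the `major`, `minor` and `patch` names that Renovate's regex versioning expects.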
@@ -10,6 +10,7 @@ on: permissions: {} env: + # renovate: datasource=golang-version packageName=golang GOLANG_VERSION: '1.23.1' # Note: go-version must also be set in job argocd-image.with.go-version jobs: @@ -23,6 +24,7 @@ jobs: with: quay_image_name: quay.io/argoproj/argocd:${{ github.ref_name }} # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations) + # renovate: datasource=golang-version packageName=golang go-version: 1.23.1 platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le push: true diff --git a/.github/workflows/update-go.yaml b/.github/workflows/update-go.yaml deleted file mode 100644 index ef4edac0a87d3..0000000000000 --- a/.github/workflows/update-go.yaml +++ /dev/null @@ -1,42 +0,0 @@ -# Update golang version on a daily basis and open a PR. -name: Update Go -on: - schedule: - - cron: '0 0 * * *' - -permissions: - contents: read - -jobs: - update-go: - permissions: - contents: write - pull-requests: write - if: github.repository == 'argoproj/argo-cd' - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - with: - token: ${{ secrets.GITHUB_TOKEN }} - - uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4 - - name: Update Go - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - make update-go - - # If there are no changes, quit early. - if [[ -z $(git status -s) ]]; then - echo "No changes detected" - exit 0 - fi - - pr_branch="update-go-$(echo $RANDOM | md5sum | head -c 20)" - git checkout -b "$pr_branch" - git config --global user.email 'ci@argoproj.com' - git config --global user.name 'CI' - git add . - git commit -m "[Bot] chore(dep): Update Go" --signoff - git push --set-upstream origin "$pr_branch" - gh pr create -B master -H "$pr_branch" --title '[Bot] chore(dep): Update Go' --body '' 
diff --git a/.github/workflows/update-node.yaml b/.github/workflows/update-node.yaml deleted file mode 100644 index 3a641b1d5a82c..0000000000000 --- a/.github/workflows/update-node.yaml +++ /dev/null @@ -1,42 +0,0 @@ -# Update Node version on a daily basis and open a PR. -name: Update Node -on: - schedule: - - cron: '0 0 * * *' - -permissions: - contents: read - -jobs: - update-node: - permissions: - contents: write - pull-requests: write - if: github.repository == 'argoproj/argo-cd' - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - with: - token: ${{ secrets.GITHUB_TOKEN }} - - uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4 - - name: Update Node - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - make update-node - - # If there are no changes, quit early. - if [[ -z $(git status -s) ]]; then - echo "No changes detected" - exit 0 - fi - - pr_branch="update-node-$(echo $RANDOM | md5sum | head -c 20)" - git checkout -b "$pr_branch" - git config --global user.email 'ci@argoproj.com' - git config --global user.name 'CI' - git add . - git commit -m "[Bot] chore(dep): Update Node" --signoff - git push --set-upstream origin "$pr_branch" - gh pr create -B master -H "$pr_branch" --title '[Bot] chore(dep): Update Node' --body '' diff --git a/Makefile b/Makefile index d6c097a87cfe3..d6f8cdf62d5d8 100644 --- a/Makefile +++ b/Makefile @@ -631,14 +631,6 @@ snyk-non-container-tests: snyk-report: ./hack/snyk-report.sh $(target_branch) -.PHONY: update-go -update-go: - ./hack/update-go.sh - -.PHONY: update-node -update-node: - ./hack/update-node.sh - .PHONY: help help: @echo 'Note: Generally an item w/ (-local) will run inside docker unless you use the -local variant' diff --git a/hack/installers/install-lint-tools.sh b/hack/installers/install-lint-tools.sh index e00ccda637517..d11c3f7d7b491 100755 --- a/hack/installers/install-lint-tools.sh 
+++ b/hack/installers/install-lint-tools.sh @@ -1,4 +1,7 @@ #!/bin/bash set -eux -o pipefail -GO111MODULE=on go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.61.0 +# renovate: datasource=go packageName=github.com/golangci/golangci-lint +GOLANGCI_LINT_VERSION=1.61.0 + +GO111MODULE=on go install "github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCI_LINT_VERSION}" diff --git a/hack/update-go.sh b/hack/update-go.sh deleted file mode 100755 index 08ea85d7d2f2c..0000000000000 --- a/hack/update-go.sh +++ /dev/null 
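Review bot: The new `GOLANGCI_LINT_VERSION=1.61.0` drops the `v` that the removed line carried (`@v1.61.0`), so the install line now expands to `golangci-lint@1.61.0`. Go module version queries expect the `v`-prefixed tag, so this is likely to fail or to be looked up as a branch or revision name rather than the release. Keeping the variable bare for Renovate and adding the prefix at the use site fixes it: `GO111MODULE=on go install "github.com/golangci/golangci-lint/cmd/golangci-lint@v${GOLANGCI_LINT_VERSION}"`. The ci-build.yaml pin for the same tool is written with the prefix (`version: v1.61.0`), so a one-line comment here noting that the two pins use different formats would help whoever edits either one.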
@@ -1,38 +0,0 @@ -#!/usr/bin/env bash - -# This script is used to update the Go version in the project. -# We use this because Dependabot doesn't support updating the Go version in all the places we use Go. - -set -e - -echo "Getting latest Go version..." - -# Get the current stable Go version. This assumes the JSON is sorted newest-to-oldest. -GO_VERSION=$(curl -s https://go.dev/dl/?mode=json | jq 'map(select(.stable == true))[0].version' -r) - -# Make sure the version number is semver. -if [[ ! "$GO_VERSION" =~ ^go[0-9]+\.[0-9]+\.[0-9]+$ ]]; then - echo "Failed to get the latest Go version." - exit 1 -fi - -# Remove the 'go' prefix from the version number. -GO_VERSION=${GO_VERSION#go} - -# Get the digest of the Go image. -DIGEST=$(crane digest "docker.io/library/golang:$GO_VERSION") - -echo "Updating to Go version $GO_VERSION with digest $DIGEST..." - -# Replace the Go image in the Dockerfile. -sed -r -i.bak "s/docker\.io\/library\/golang:[0-9.]+@sha256:[0-9a-f]+/docker.io\/library\/golang:$GO_VERSION@$DIGEST/" Dockerfile test/container/Dockerfile test/remote/Dockerfile -rm Dockerfile.bak test/container/Dockerfile.bak test/remote/Dockerfile.bak - -# Update the go version in ci-build.yaml, image.yaml, and release.yaml. -sed -r -i.bak "s/go-version: [0-9.]+/go-version: $GO_VERSION/" .github/workflows/ci-build.yaml .github/workflows/image.yaml .github/workflows/release.yaml -rm .github/workflows/ci-build.yaml.bak .github/workflows/image.yaml.bak .github/workflows/release.yaml.bak - -# Repeat for env var instead of go-version. -sed -r -i.bak "s/GOLANG_VERSION: '[0-9.]+'/GOLANG_VERSION: '$GO_VERSION'/" .github/workflows/ci-build.yaml .github/workflows/image.yaml .github/workflows/release.yaml -rm .github/workflows/ci-build.yaml.bak .github/workflows/image.yaml.bak .github/workflows/release.yaml.bak - diff --git a/hack/update-node.sh b/hack/update-node.sh deleted file mode 100755 index 42cfffad84fba..0000000000000 --- a/hack/update-node.sh +++ /dev/null 
@@ -1,33 +0,0 @@ -#!/usr/bin/env bash - -# This script is used to update the node version in the project. -# We use this because Dependabot doesn't support updating the Node version in all the places we use Node. - -set -e - -echo "Getting latest Node version..." - -# Get the current LTS node version. This assumes the JSON is sorted newest-to-oldest. -NODE_VERSION=$(curl -s https://nodejs.org/download/release/index.json | jq '.[0].version' -r) - -# Make sure the version number is semver with a preceding 'v'. -if [[ ! "$NODE_VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then - echo "Failed to get the latest Node version." - exit 1 -fi - -# Strip the preceding 'v' from the version number. -NODE_VERSION=${NODE_VERSION#v} - -# Get the manifest SHA of the library/node image. -DIGEST=$(crane digest "docker.io/library/node:$NODE_VERSION") - -echo "Updating to Node version $NODE_VERSION with digest $DIGEST..." - -# Replace the node image in the Dockerfiles. -sed -r -i.bak "s/docker\.io\/library\/node:[0-9.]+@sha256:[0-9a-f]+/docker.io\/library\/node:$NODE_VERSION@$DIGEST/" Dockerfile ui-test/Dockerfile test/container/Dockerfile -rm Dockerfile.bak ui-test/Dockerfile.bak test/container/Dockerfile.bak - -# Replace node version in ci-build.yaml. -sed -r -i.bak "s/node-version: '[0-9.]+'/node-version: '$NODE_VERSION'/" .github/workflows/ci-build.yaml -rm .github/workflows/ci-build.yaml.bak diff --git a/renovate-presets/custom-managers/shell.json5 b/renovate-presets/custom-managers/shell.json5 new file mode 100644 index 0000000000000..9ce3c1805d31e --- /dev/null +++ b/renovate-presets/custom-managers/shell.json5 
@@ -0,0 +1,16 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "customManagers": [
+ {
+ "description": "A generic custom manager for updating any shell scripts.",
+ "customType": "regex",
+ "fileMatch": [
+ ".+\\.(?:bash|sh|ksh)$"
+ ],
+ "matchStrings": [
+ "# renovate: datasource=(?.*?)(?: depName=(?.+?))? packageName=(?.+?)(?: versioning=(?.*?))?(?: extractVersion=(?.*?))?\\s.+?_VERSION\\s*=\\s*(?:'|\")(?[^(?:'|\")]+)(?:'|\")",
+ "# renovate: datasource=(?.*?)(?: depName=(?.+?))? packageName=(?.+?)(?: versioning=(?.*?))?(?: extractVersion=(?.*?))?\\s.+?_VERSION\\s*=\\s*(?[^'\"\\s]+)"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/renovate-presets/custom-managers/yaml.json5 b/renovate-presets/custom-managers/yaml.json5
new file mode 100644
index 0000000000000..70cc6629ef756
--- /dev/null
+++ b/renovate-presets/custom-managers/yaml.json5
@@ -0,0 +1,16 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "customManagers": [
+ {
+ "description": "A generic custom manager for updating any yaml fields ending by *version: case incensitive",
+ "customType": "regex",
+ "fileMatch": [
+ ".github\\/workflows.+\\.(?:yml|yaml)$"
+ ],
+ "matchStrings": [
+ "# renovate: datasource=(?.*?)(?: depName=(?.+?))? packageName=(?.+?)(?: versioning=(?.*?))?(?: extractVersion=(?.*?))?\\s.+?((?i)VERSION)\\s*:\\s*(?:'|\")(?[^(?:'|\")]+)(?:'|\")",
+ "# renovate: datasource=(?.*?)(?: depName=(?.+?))? packageName=(?.+?)(?: versioning=(?.*?))?(?: extractVersion=(?.*?))?\\s.+?((?i)VERSION)\\s*:\\s*(?[^'\"\\s]+)"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/renovate-presets/fix/openssf-merge-confidence-columns.json5 b/renovate-presets/fix/openssf-merge-confidence-columns.json5
new file mode 100644
index 0000000000000..b099487113bf5
--- /dev/null
+++ b/renovate-presets/fix/openssf-merge-confidence-columns.json5
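Review bot: The quoted-value capture in the first `matchStrings` entry of shell.json5 uses the class `[^(?:'|\")]+`, and inside a character class `(?:`, `|` and `)` are literal characters. It therefore excludes parentheses, `?`, `:` and `|` as well as the two quote characters, instead of expressing "anything up to the closing quote"; `[^'\"]+` says what is meant. The same class is repeated in the first `matchStrings` entry of yaml.json5. In yaml.json5 the `fileMatch` pattern also starts with an unescaped `.` (`\\.github\\/workflows` would be exact), and the description has a typo ("incensitive").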
@@ -0,0 +1,22 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "description": "Merge the output of mergeConfidence:all-badges and security:openssf-scorecard. See https://github.com/renovatebot/renovate/discussions/25125 for rationale.",
+ "packageRules": [
+ {
+ "matchPackagePatterns": [
+ ".*"
+ ],
+ "prBodyColumns": [
+ "Package",
+ "Type",
+ "Update",
+ "Change",
+ "Age",
+ "Adoption",
+ "Passing",
+ "Confidence",
+ "OpenSSF"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000000000..228b3d77f4616
--- /dev/null
+++ b/renovate.json
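Review bot: The catch-all rule in this preset is written as `matchPackagePatterns` with `".*"`, while renovate.json in the same commit expresses the same match as `matchPackageNames` with `"*"`. As far as I know, newer Renovate releases deprecate `matchPackagePatterns` in favour of `matchPackageNames`, so `"matchPackageNames": ["*"]` here would keep the two files consistent and avoid a config-migration warning. The file also ends without a trailing newline.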
@@ -0,0 +1,113 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "dependencyDashboard": true,
+ "dependencyDashboardOSVVulnerabilitySummary": "all",
+ "osvVulnerabilityAlerts": true,
+ "reviewersFromCodeOwners": true,
+ "extends": [
+ "config:best-practices",
+ "customManagers:dockerfileVersions",
+ "security:openssf-scorecard",
+ "mergeConfidence:all-badges",
+ "github>argoproj/argo-cd//renovate-presets/fix/openssf-merge-confidence-columns.json5",
+ "github>argoproj/argo-cd//renovate-presets/custom-managers/shell.json5",
+ "github>argoproj/argo-cd//renovate-presets/custom-managers/yaml.json5"
+ ],
+ "packageRules": [
+ {
+ "description": "Disable all updates to avoid conflicts with dependabot, then enable what we want",
+ "matchPackageNames": [
+ "*"
+ ],
+ "enabled": false
+ },
+ {
+ "description": "Add label dependencies to all PRs",
+ "matchPackageNames": [
+ "*"
+ ],
+ "labels": [
+ "dependencies"
+ ]
+ },
+ {
+ "description": "Enable node-version",
+ "matchDatasources": [
+ "node-version"
+ ],
+ "addLabels": [
+ "javascript"
+ ],
+ "enabled": true
+ },
+ {
+ "description": "Enable golang-version",
+ "matchDatasources": [
+ "golang-version"
+ ],
+ "addLabels": [
+ "go"
+ ],
+ "enabled": true
+ },
+ {
+ "description": "Enable some go modules",
+ "matchDatasources": [
+ "go"
+ ],
+ "matchPackageNames": [
+ "go",
+ "github.com/golangci/golangci-lint"
+ ],
+ "addLabels": [
+ "go"
+ ],
+ "enabled": true
+ },
+ {
+ "description": "Enable bump of golang version in go.mod",
+ "matchDatasources": [
+ "golang-version"
+ ],
+ "rangeStrategy": "bump"
+ },
+ {
+ "description": "Enable some docker images",
+ "matchDatasources": [
+ "docker"
+ ],
+ "matchPackageNames": [
+ "docker.io/library/node",
+ "docker.io/library/golang"
+ ],
+ "enabled": true
+ },
+ {
+ "description": "Group golang-version packages",
+ "groupName": "golang version",
+ "matchDepNames": [
+ "go",
+ "golang",
+ "docker.io/golang",
+ "docker.io/library/golang"
+ ]
+ },
+ {
+ "description": "Group node-version packages",
+ "groupName": "node version",
+ "matchDepNames": [
+ "node",
+ "docker.io/library/node"
+ ]
+ },
+ {
+ "description": "an example to reduce noise by automerging pkgs that are safe to merge, multiple match fields can be used to reduce the scope of this rule...)",
+ "matchUpdateTypes": [
+ "patch",
+ "pin",
+ "digest"
+ ],
+ "automerge": false
+ }
+ ]
+}
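Review bot: The last `packageRules` entry is described as an automerge example but sets `"automerge": false`, so it changes nothing today and reads as an invitation to flip one value later. Its `matchUpdateTypes` of `patch`, `pin` and `digest` has no package or datasource filter, so once enabled it would cover every dependency this config turns on, including the Go and Node toolchain images, and those updates would merge without a human looking at them. Since JSON has no comments, the `description` is the only documentation. Either drop the rule until it is needed, or state the conditions there, e.g. `"description": "Placeholder: automerge stays off for patch/pin/digest; enable only together with required status checks and a minimumReleaseAge"`.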